CN109358508A - Self-learning-based industrial control host security protection method and system - Google Patents
- Publication number: CN109358508A (application CN201811308834.3A)
- Authority: CN (China)
- Prior art keywords: data, industrial control, control host, protected, file
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B13/00—Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion
- G05B13/02—Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric
- G05B13/04—Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric involving the use of models or simulators
- G05B13/042—Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric involving the use of models or simulators in which a parameter or coefficient is automatically adjusted to optimise the performance
Abstract
The present invention provides a self-learning-based industrial control host security protection method and system in the technical field of equipment security. The method comprises: obtaining first target data sent by an industrial control host to be protected; if the first target data is a first target file and the first target file is an unknown target file, processing the first target file to obtain a first processing result, where the first target file is a target file awaiting security detection that is stored in the storage device of the industrial control host to be protected; and if the first target data is communication traffic data of the industrial control host to be protected and the communication traffic data is unknown communication traffic data, processing the communication traffic data to obtain a second processing result. This solves the technical problem that existing industrial control host protection methods protect industrial control hosts poorly.
Description
Technical field
The present invention relates to the technical field of equipment security, and in particular to a self-learning-based industrial control host security protection method and system.
Background technique
In the traditional industrial control field, the network of an industrial control system is physically isolated, and the security of the whole control system is in a "running naked" state: there is no security protection equipment, and system patches are never updated. Because of the physical isolation and the use of proprietary protocols, few security incidents occurred. Since the Stuxnet attack on Iran's nuclear facilities in 2010 was exposed, and the BlackEnergy attack on the Ukrainian power grid some time ago, it has become clear that industrial control systems, long considered relatively closed, specialised and safe, have become targets of hackers and illegal organisations; isolation cannot solve the security problem. Moreover, with the rapid advance of industrial informatisation and the collaboration and information sharing between systems, industrial control systems have gradually lost their former closure: previously isolated areas are now connected in some way, so industrial control systems also face traditional information security threats such as viruses, trojans, hacker attacks and denial of service, and the security problem will become more serious.
No effective solution to the above problems has yet been proposed.
Summary of the invention
In view of this, the purpose of the present invention is to provide a self-learning-based industrial control host security protection method and system, so as to alleviate the technical problem that existing industrial control host protection methods protect industrial control hosts poorly.
In a first aspect, an embodiment of the present invention provides a self-learning-based industrial control host security protection method. The method includes: obtaining first target data sent by an industrial control host to be protected; if the first target data is a first target file and the first target file is an unknown target file, processing the first target file to obtain a first processing result, where the first processing result characterises whether the running process of the first target file is to be blocked, and the first target file is a target file awaiting security detection that is stored in the storage device of the industrial control host to be protected; and if the first target data is communication traffic data of the industrial control host to be protected and the communication traffic data is unknown communication traffic data, processing the communication traffic data to obtain a second processing result, where the second processing result characterises whether the communication process corresponding to the communication traffic data is to be blocked.
Further, the preset file list includes the hash value of at least one preset file, and judging whether the first target file is an unknown target file specifically includes: calculating the hash value of the first target file; comparing the hash value of the first target file with the hash values in the preset file list; and if the comparison result is that the preset file list does not contain the hash value of the first target file, determining that the first target file is an unknown target file.
Further, judging whether the communication traffic data is unknown communication traffic data specifically includes: determining whether the communication parameters of the communication traffic data between a first industrial control host to be protected and a second industrial control host to be protected conform to a communication network diagram, where the first industrial control host to be protected is the host, among the industrial control hosts to be protected, that receives the communication traffic data, the second industrial control host to be protected is the host, among the other industrial control hosts, that sends the communication traffic data to the first industrial control host to be protected, the communication network diagram contains multiple industrial control hosts to be protected, and the communication network diagram characterises the communication parameters of the communication traffic data between any two industrial control hosts to be protected; and if they do not conform, determining that the communication traffic data is unknown communication traffic data.
Further, the communication parameters include at least one of: the IP address of each industrial control host to be protected, the MAC address of each industrial control host to be protected, the ports used for communication between the industrial control hosts to be protected, and the communication protocol between the industrial control hosts to be protected.
Further, processing the first target file includes: if the processing mode of the server is high availability mode, performing a virus scan on the first target file, and if the first target file is determined to contain no virus, allowing the running process of the first target file; and if the processing mode of the server is high security mode, blocking the running process of the first target file.
Further, processing the communication traffic data includes: if the processing mode of the server is high availability mode, allowing the communication process corresponding to the communication traffic data; and if the processing mode of the server is high security mode, blocking the communication process corresponding to the communication traffic data.
Further, the method also includes: sending the first processing result or the second processing result to an administrator terminal, so that the administrator terminal displays the first processing result or the second processing result.
Further, second target data sent by the industrial control host to be protected is obtained at a predetermined period, where the second target data includes at least one of: a second target file, the hash value of the second target file, the registry data of the second target file, process data, the communication traffic data, and the communication parameters of the communication traffic data, and the second target file is all the files obtained from the storage device of the industrial control host to be protected at the predetermined period; a virus scan is performed on the second target file to judge whether the second target data contains a virus; and if not, the second target file and the hash value of the second target file are added to the preset file list, and a communication network diagram is built on the basis of the second target data.
In a second aspect, an embodiment of the present invention provides a self-learning-based industrial control host security protection system. The system includes an acquiring unit, a first execution unit and a second execution unit. The acquiring unit obtains first target data sent by an industrial control host to be protected. If the first target data is a first target file and the first target file is an unknown target file, the first execution unit processes the first target file to obtain a first processing result, where the first processing result characterises whether the running process of the first target file is to be blocked, and the first target file is a target file awaiting security detection that is stored in the storage device of the industrial control host to be protected. If the first target data is communication traffic data of the industrial control host to be protected and the communication traffic data is unknown communication traffic data, the second execution unit processes the communication traffic data to obtain a second processing result, where the second processing result characterises whether the communication process corresponding to the communication traffic data is to be blocked.
Further, the system also includes a first monitoring unit for judging whether the first target file is an unknown target file, specifically by: calculating the hash value of the first target file; comparing the hash value of the first target file with the hash values in the preset file list; and if the comparison result is that the preset file list does not contain the hash value of the first target file, determining that the first target file is an unknown target file.
In the embodiments of the present invention, first target data sent by an industrial control host to be protected is obtained; if the first target data is a first target file and the first target file is an unknown target file, the first target file is processed to obtain a first processing result; and if the first target data is communication traffic data of the industrial control host to be protected and the communication traffic data is unknown communication traffic data, the communication traffic data is processed to obtain a second processing result.
By processing unknown file data and unknown traffic data, the present invention can block the running process of unknown file data and block the communication process corresponding to unknown traffic data. This alleviates the technical problem that, because existing anti-virus engines are incompatible with industrial control system software, existing industrial control host protection methods cannot detect or block a virus program that generates no communication traffic, and therefore protect industrial control hosts poorly; the protection of industrial control hosts is thereby improved.
Other features and advantages of the present invention will be set out in the following description, and will in part become apparent from the description or be understood by practising the invention. The objects and other advantages of the invention are realised and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
In order to illustrate the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. The drawings described below are some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a self-learning-based industrial control host security protection method provided by an embodiment of the present invention;
Fig. 2 is a second flow chart of a self-learning-based industrial control host security protection method provided by an embodiment of the present invention;
Fig. 3 is a third flow chart of a self-learning-based industrial control host security protection method provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of a self-learning-based industrial control host security protection system provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of a server provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment one:
According to an embodiment of the present invention, an embodiment of a self-learning-based industrial control host security protection method is provided. It should be noted that the steps shown in the flow charts of the drawings can be executed in a computer system as a set of computer-executable instructions, and that although a logical order is shown in the flow charts, the steps shown or described may in some cases be executed in an order different from the one given here.
Fig. 1 shows a self-learning-based industrial control host security protection method according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
Step S102: obtain first target data sent by an industrial control host to be protected;
Step S104: if the first target data is a first target file and the first target file is an unknown target file, process the first target file to obtain a first processing result, where the first processing result characterises whether the running process of the first target file is to be blocked, and the first target file is a target file awaiting security detection that is stored in the storage device of the industrial control host to be protected;
Step S106: if the first target data is communication traffic data of the industrial control host to be protected and the communication traffic data is unknown communication traffic data, process the communication traffic data to obtain a second processing result, where the second processing result characterises whether the communication process corresponding to the communication traffic data is to be blocked.
In the embodiment of the present invention, judging whether the first target file is an unknown target file specifically includes the following steps:
Step S11: calculate the hash value of the first target file;
Step S12: compare the hash value of the first target file with the hash values in the preset file list;
Step S13: if the comparison result is that the preset file list does not contain the hash value of the first target file, determine that the first target file is an unknown target file.
In the embodiment of the present invention, when the obtained first target data is a first target file (that is, a target file awaiting security detection that is stored in the storage device of the industrial control host to be protected), the hash value of the first target file is calculated. The hash value of the first target file is then compared with the hash values in the preset file list.
It should be noted that the preset file list contains the hash value of at least one preset file; the preset file list is also commonly called a whitelist.
If the comparison result is that the preset list does not contain the hash value of the first target file, the first target file can be determined to be an unknown target file.
Whether the first target file is unknown file data is judged by whether the preset list contains its hash value. Because two files have the same hash value only if they are identical (for a collision-resistant hash function), judging by hash value is highly accurate, which avoids misjudgements that would cause detection to fail.
In the embodiment of the present invention, judging whether the communication traffic data is unknown communication traffic data specifically includes the following steps:
Step S21: determine whether the communication parameters of the communication traffic data between a first industrial control host to be protected and a second industrial control host to be protected conform to the communication network diagram, where the first industrial control host to be protected is the host, among the industrial control hosts to be protected, that receives the communication traffic data, the second industrial control host to be protected is the host, among the other industrial control hosts, that sends the communication traffic data to the first industrial control host to be protected, the communication network diagram contains multiple industrial control hosts to be protected, and the communication network diagram characterises the communication parameters of the communication traffic data between any two industrial control hosts to be protected;
Step S22: if they do not conform, determine that the communication traffic data is unknown communication traffic data.
In the embodiment of the present invention, when the obtained first target data is communication traffic data, it is necessary to judge whether the communication parameters of the communication traffic data conform to the communication network diagram.
It should be noted that the communication network diagram contains multiple industrial control hosts to be protected and characterises the communication parameters of the communication traffic data between any two industrial control hosts to be protected.
It should also be noted that the communication network diagram contains at least one of the following communication parameters: the IP address of each industrial control host to be protected, the MAC address of each industrial control host to be protected, the ports used for communication between the industrial control hosts to be protected, and the communication protocol between the industrial control hosts to be protected.
When the judgement result is that the communication traffic data does not conform to the communication network diagram, the communication traffic data can be determined to be unknown communication traffic data.
For example, when communication traffic data is obtained, the first port on which the first industrial control host to be protected (the host that receives the communication traffic data) receives it, and the second port from which the second industrial control host to be protected (the host that sends the communication traffic data to the first host) sends it, can first be determined. If the first port and the second port do not match the ports recorded in the communication network diagram for the transmission of communication traffic data between the first and second industrial control hosts to be protected, the communication traffic data is determined to be unknown communication traffic data.
In the embodiment of the present invention, as shown in Fig. 2, processing the first target file includes the following steps:
Step S31: if the processing mode of the server is high availability mode, perform a virus scan on the first target file;
Step S32: if it is determined that the first target file contains no virus, allow the running process of the first target file;
Step S33: if the processing mode of the server is high security mode, block the running process of the first target file.
In the embodiment of the present invention, after the first target file is judged to be an unknown target file, if the processing mode used by the server is high availability mode, a virus scan is performed on the first target file. If the scan result is that the first target file contains no virus, the running process of the first target file is allowed. If the processing mode used by the server is high security mode, the running process of the first target file is blocked directly.
By offering these two processing modes, the server can meet the security protection requirements of different industrial control host systems.
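The following Python is an added worked example of steps S11-S13 together with the two processing modes of steps S31-S33; it is not code from the patent or from any product implementing it. It assumes SHA-256 as the hash (the page does not name one), assumes that a file whose hash is on the preset list is simply allowed to run, and assumes that an unknown file which the scan flags in high availability mode is blocked (the page only states the clean case). The virus scanner is a stand-in that recognises the EICAR test string, and the file contents and paths are constructed.

```python
import hashlib

# The EICAR test string is the standard anti-virus test signature. The scanner
# below recognises only that string; it stands in for the page's unnamed engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample contents of files on the protected host (hypothetical paths).
BASELINE_FILES = {
    "C:/scada/hmi.exe": b"MZ\x90\x00 constructed HMI binary",
    "C:/scada/plc_driver.dll": b"MZ\x90\x00 constructed driver",
}

MODE_HIGH_AVAILABILITY = "high_availability"
MODE_HIGH_SECURITY = "high_security"


def scan_for_virus(data: bytes) -> bool:
    """True if the scanner flags the content (here: it contains the EICAR signature)."""
    return EICAR in data


def file_hash(data: bytes) -> str:
    """Hash value used as the file's identity. The page does not name the algorithm;
    SHA-256 is assumed because an allow-list needs a collision-resistant hash."""
    return hashlib.sha256(data).hexdigest()


def build_whitelist(files: dict[str, bytes]) -> set[str]:
    """Preset file list: hashes of the files that scanned clean (the learning step)."""
    return {file_hash(data) for data in files.values() if not scan_for_virus(data)}


def is_unknown_file(data: bytes, whitelist: set[str]) -> bool:
    """Steps S11-S13: a file is unknown iff its hash is absent from the preset list."""
    return file_hash(data) not in whitelist


def process_file(data: bytes, whitelist: set[str], mode: str) -> str:
    """First processing result: 'allow' or 'block' the file's running process.

    Known files are allowed to run; the page only processes unknown ones, so the
    preset list is treated as an allow-list (assumption).
    """
    if not is_unknown_file(data, whitelist):
        return "allow"
    if mode == MODE_HIGH_AVAILABILITY:
        # S31/S32: scan the unknown file; allow only if nothing is found (the
        # infected case is an assumption, the page states only the clean one).
        return "block" if scan_for_virus(data) else "allow"
    if mode == MODE_HIGH_SECURITY:
        # S33: block without scanning; anything not on the list is refused.
        return "block"
    raise ValueError(f"unsupported processing mode: {mode!r}")


if __name__ == "__main__":
    whitelist = build_whitelist(BASELINE_FILES)
    new_tool = b"MZ\x90\x00 constructed vendor tool not on the list"
    for label, data, mode in [
        ("known file, high security", BASELINE_FILES["C:/scada/hmi.exe"], MODE_HIGH_SECURITY),
        ("unknown clean file, high availability", new_tool, MODE_HIGH_AVAILABILITY),
        ("unknown clean file, high security", new_tool, MODE_HIGH_SECURITY),
        ("unknown infected file, high availability", new_tool + EICAR, MODE_HIGH_AVAILABILITY),
    ]:
        print(f"{label}: {process_file(data, whitelist, mode)}")
```

The accuracy argument on the page rests on the hash being collision-resistant: with MD5 or SHA-1 an attacker can craft a malicious file that shares a hash with an allowed one, so neither is suitable for an allow-list. Note also that in high availability mode the scan is the only control on an unknown file, so that mode is exactly as strong as the engine's signatures.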
In the embodiment of the present invention, processing the communication traffic data includes the following steps:
Step S41: if the processing mode of the server is high availability mode, allow the communication process corresponding to the communication traffic data;
Step S42: if the processing mode of the server is high security mode, block the communication process corresponding to the communication traffic data.
In the embodiment of the present invention, after the communication traffic data is judged to be unknown communication traffic data, if the server's processing mode is high availability mode, the communication process corresponding to the communication traffic data is allowed, so that normal operation of the industrial control equipment to be protected is guaranteed. If the server's processing mode is high security mode, the communication process corresponding to the communication traffic data is blocked, so that the industrial control equipment to be protected is protected.
In the embodiment of the present invention, as shown in Fig. 3, the method also includes the following step:
Step S108: send the first processing result or the second processing result to an administrator terminal, so that the administrator terminal displays the first processing result or the second processing result.
In the embodiment of the present invention, after the server finishes processing the unknown target file or the unknown traffic data, the resulting first processing result or second processing result is sent to the administrator terminal, which displays it, so that the administrator learns the security status of the industrial control equipment to be protected in time.
In the embodiment of the present invention, the method also includes the following steps:
Step S51: obtain second target data sent by the industrial control host to be protected at a predetermined period, where the second target data includes at least one of: a second target file, the hash value of the second target file, the registry data of the second target file, process data, the communication traffic data, and the communication parameters of the communication traffic data, and the second target file is all the files obtained from the storage device of the industrial control host to be protected at the predetermined period;
Step S52: perform a virus scan on the second target file and judge whether the second target file contains a virus;
Step S53: if not, add the second target file and the hash value of the second target file to the preset file list, and build the communication network diagram on the basis of the second target data.
In the embodiment of the present invention, in order to determine the preset list and the communication network diagram, the second target data sent by the industrial control host to be protected can be obtained at a predetermined period.
It should be noted that the predetermined period can be set by the administrator according to the actual situation; it is not specifically limited in the embodiments of the present invention.
It should also be noted that the second target data includes: a second target file, the hash value of the second target file, the registry data of the second target file, process data, the communication traffic data, and the communication parameters of the communication traffic data, where the second target file is all the files obtained from the storage device of the industrial control host to be protected at the predetermined period.
The registry data of the second target file is all the registry keys related to file auto-start operations in the industrial control system in which the industrial control host to be protected is located.
The process data includes: all running processes and process relationships of the industrial control system in which the industrial control host to be protected is located, the hash value corresponding to each running process, and the dynamic link library files loaded by each running process.
The parameters of the communication traffic data include: the process file used when the industrial control hosts to be protected communicate with each other; the IP address, port and MAC address of the industrial control host to be protected that receives the communication traffic data; the IP address, port and MAC address of the industrial control host to be protected that sends the communication traffic data; the protocol type; the communication time; and similar parameters.
After the second target data is obtained, a virus scan is performed on the second target file in the second target data. If the second target file contains no virus, the second target file and the hash value of the second target file are added to the preset file list.
Finally, the communication network diagram is built from the second target data.
By obtaining the second target data at the predetermined period, the self-learning module learns, and the preset file list and the communication network diagram can be updated with the second target data obtained in each predetermined period, which improves the protection of the security of the industrial control host to be protected.
Embodiment two:
The present invention also provides a self-learning-based industrial control host security protection system, which is used to execute the self-learning-based industrial control host security protection method provided by the embodiment above. A specific description of the system provided by the embodiment of the present invention follows.
As shown in Fig. 4, the system includes an acquiring unit 10, a first execution unit 20 and a second execution unit 30, wherein:
the acquiring unit 10 is used to obtain the first target data sent by the industrial control host to be protected;
the first execution unit 20 is used, if the first target data is a first target file and the first target file is an unknown target file, to process the first target file and obtain a first processing result, wherein the first processing result characterizes whether the running process of the first target file is blocked, and the first target file is a target file pending security detection that is stored in the storage device of the industrial control host to be protected;
the second execution unit 30 is used, if the first target data is communication traffic data of the industrial control host to be protected and the communication traffic data is unknown communication traffic data, to process the communication traffic data and obtain a second processing result, wherein the second processing result characterizes whether the communication process corresponding to the communication traffic data is blocked.
By processing unknown file data and unknown traffic data, the present invention can block the running process of unknown file data and block the communication process corresponding to unknown traffic data. This alleviates the technical problem that, because existing antivirus engines are incompatible with industrial control system software, existing industrial control host protection methods cannot detect and block virus programs that generate no communication traffic, which leaves the security protection of the industrial control host poor, and so achieves the technical effect of improving the security protection of the industrial control host.
Optionally, the system also includes a first monitoring unit for judging whether the first target file is an unknown target file, specifically: calculating the hash value of the first target file; comparing the hash value of the first target file with the hash values in the default file list; and, if the comparison result is that the default file list does not contain the hash value of the first target file, determining that the first target file is an unknown target file.
Optionally, the system also includes a second monitoring unit for judging whether the communication traffic data is unknown communication traffic data, specifically: determining whether the communication parameters of the communication traffic data between a first industrial control host to be protected and a second industrial control host to be protected conform to the communications network graph, wherein the first industrial control host to be protected is the host among the industrial control hosts to be protected that receives the communication traffic data, the second industrial control host to be protected is the host among the other industrial control hosts that sends the communication traffic data to the first industrial control host to be protected, the communications network graph includes a plurality of industrial control hosts to be protected, and the communications network graph characterizes the communication parameters of the communication traffic data between any two industrial control hosts to be protected; if they do not conform, determining that the communication traffic data is unknown communication traffic data.
Optionally, the first execution module is also used: if the processing mode of the server is the high-availability mode, to perform a virus scan on the first target file and, if it is determined that the first target file contains no virus, to release the running process of the first target file; if the processing mode of the server is the high-security mode, to block the running process of the first target file.
Optionally, the second execution module is also used: if the processing mode of the server is the high-availability mode, to release the communication process corresponding to the communication traffic data; if the processing mode of the server is the high-security mode, to block the communication process corresponding to the communication traffic data.
Optionally, the system also includes a transmission unit for sending the first processing result or the second processing result to an administrator terminal, so that the administrator terminal displays the first processing result or the second processing result.
Optionally, the system also includes a self-learning unit for obtaining, according to a predetermined period, the second target data sent by the industrial control host to be protected, wherein the second target data includes at least one of the following: a second target file, the hash value of the second target file, the registry data of the second target file, process data, the communication traffic data, and the communication parameters of the communication traffic data, the second target file being all files obtained from the storage device of the industrial control host to be protected according to the predetermined period; performing a virus scan on the second target file and judging whether the second target file contains a virus; and, if not, adding the second target file and the hash value of the second target file to the default file list and constructing the communications network graph based on the second target data.
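The procedure described above (the self-learning cycle at the end of embodiment one and the units of embodiment two: a default file list of file hashes, a communications network graph keyed on the communication parameters, the two server processing modes, and the periodic learning step that feeds both structures), written out as an added Python example. This is not code from the patent or from any product implementing it; the class and function names, the two mode labels, the choice of SHA-256 as the hash, the stand-in virus scanner and all sample files and flows are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Iterable, Set, Tuple

HIGH_AVAILABILITY = "high_availability"  # assumed labels for the server modes
HIGH_SECURITY = "high_security"

# Constructed stand-in for the virus engine: a file is treated as infected if
# it carries this marker. A real deployment would call the site's scanner.
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def scan_clean(data: bytes) -> bool:
    """Return True when the stand-in scanner finds no virus."""
    return MALWARE_MARKER not in data


def file_hash(data: bytes) -> str:
    """Hash stored in the default file list (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Flow:
    """One observed communication between two protected hosts."""
    process_file: str
    src_ip: str
    src_mac: str
    src_port: int
    dst_ip: str
    dst_mac: str
    dst_port: int
    protocol: str
    comm_time: str


GraphKey = Tuple[str, str, str, str, int, str]


def graph_key(f: Flow) -> GraphKey:
    """Edge key of the communications network graph: the address, port and
    protocol parameters. The timestamp and the ephemeral source port are
    left out so that a repeat of a learnt flow still matches."""
    return (f.src_ip, f.src_mac, f.dst_ip, f.dst_mac, f.dst_port, f.protocol)


@dataclass
class HostGuard:
    mode: str = HIGH_SECURITY
    default_file_list: Set[str] = field(default_factory=set)
    comm_graph: Set[GraphKey] = field(default_factory=set)

    def learn(self, files: Iterable[bytes], flows: Iterable[Flow]) -> None:
        """Self-learning cycle: whitelist the hash of every file that scans
        clean and add every baseline flow's parameters to the graph."""
        for data in files:
            if scan_clean(data):
                self.default_file_list.add(file_hash(data))
        for f in flows:
            self.comm_graph.add(graph_key(f))

    def is_unknown_file(self, data: bytes) -> bool:
        return file_hash(data) not in self.default_file_list

    def is_unknown_flow(self, f: Flow) -> bool:
        return graph_key(f) not in self.comm_graph

    def handle_file(self, data: bytes) -> str:
        """First processing result: 'allow' or 'block'."""
        if not self.is_unknown_file(data):
            return "allow"
        if self.mode == HIGH_AVAILABILITY:
            return "allow" if scan_clean(data) else "block"
        return "block"  # high-security mode: any unknown file is blocked

    def handle_flow(self, f: Flow) -> str:
        """Second processing result: 'allow' or 'block'."""
        if not self.is_unknown_flow(f):
            return "allow"
        return "allow" if self.mode == HIGH_AVAILABILITY else "block"


def demo() -> dict:
    """Learn from constructed baseline data, then classify constructed inputs
    under both modes; returns the decisions keyed by mode."""
    baseline_files = [b"hmi.exe v1", b"scada_logger.dll", b"bad.exe" + MALWARE_MARKER]
    baseline_flows = [Flow("hmi.exe", "10.0.0.2", "aa:aa:aa:00:00:02", 50010,
                           "10.0.0.10", "bb:bb:bb:00:00:10", 502, "modbus", "t0")]
    known_flow = Flow("hmi.exe", "10.0.0.2", "aa:aa:aa:00:00:02", 50011,
                      "10.0.0.10", "bb:bb:bb:00:00:10", 502, "modbus", "t1")
    new_flow = Flow("updater.exe", "10.0.0.2", "aa:aa:aa:00:00:02", 50012,
                    "10.0.0.10", "bb:bb:bb:00:00:10", 8080, "tcp", "t2")
    results = {}
    for mode in (HIGH_SECURITY, HIGH_AVAILABILITY):
        guard = HostGuard(mode=mode)
        guard.learn(baseline_files, baseline_flows)
        results[mode] = {
            "whitelisted": len(guard.default_file_list),  # infected file excluded
            "known_file": guard.handle_file(b"hmi.exe v1"),
            "new_clean_file": guard.handle_file(b"updater.exe"),
            "new_infected_file": guard.handle_file(b"x" + MALWARE_MARKER),
            "known_flow": guard.handle_flow(known_flow),
            "new_flow": guard.handle_flow(new_flow),
        }
    return results


if __name__ == "__main__":
    for mode, decisions in demo().items():
        print(mode, decisions)
```

The two modes differ only for unknown inputs: in high-security mode every unknown file and flow is blocked, while in high-availability mode an unknown file is released after a clean scan and an unknown flow is released outright. Note that the learning step never whitelists a file the scanner flags, so the stand-in "bad.exe" stays unknown in both modes.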
Referring to Fig. 5, the embodiment of the present invention also provides a server 100, comprising a processor 50, a memory 51, a bus 52 and a communication interface 53; the processor 50, the communication interface 53 and the memory 51 are connected by the bus 52, and the processor 50 is used to execute executable modules, such as computer programs, stored in the memory 51.
The memory 51 may include high-speed random access memory (RAM) and may further include non-volatile memory, for example at least one magnetic disk storage. The communication connection between this system network element and at least one other network element is realized through at least one communication interface 53 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, etc. may be used.
The bus 52 may be an ISA bus, a PCI bus, an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc. For convenience of representation, only one double-headed arrow is used in Fig. 5, but this does not mean that there is only one bus or only one type of bus.
The memory 51 is used to store a program, and the processor 50 executes the program after receiving an execution instruction. The method performed by the flow-process-defined apparatus disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 50 or implemented by the processor 50.
The processor 50 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of the hardware in the processor 50 or by instructions in the form of software. The processor 50 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or execute each method, step and logic diagram disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be embodied directly as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory 51; the processor 50 reads the information in the memory 51 and completes the steps of the above method in combination with its hardware.
In addition, in the description of the embodiments of the present invention, unless otherwise expressly specified and limited, the terms "installed", "connected" and "coupled" shall be understood broadly: a connection may, for example, be fixed, detachable or integral; it may be mechanical or electrical; it may be direct, indirect through an intermediary, or an internal connection between two elements. For those of ordinary skill in the art, the specific meanings of the above terms in the present invention can be understood according to the specific circumstances.
In the description of the present invention, it should be noted that the orientations or positional relationships indicated by terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings, are merely for convenience and simplicity of describing the present invention, and do not indicate or imply that the referred system or element must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be construed as limiting the present invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance.
It will be apparent to those skilled in the art that, for convenience and simplicity of description, the specific working processes of the system and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided herein, it should be understood that the disclosed systems and methods may be implemented in other ways. The system embodiments described above are merely illustrative; for example, the division of units is only a logical functional division, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, systems or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, used to illustrate the technical solution of the present invention rather than to limit it, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art may, within the technical scope disclosed by the present invention, still modify the technical solutions recorded in the foregoing embodiments, readily conceive of changes, or make equivalent replacements of some of the technical features; such modifications, changes or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A self-learning-based industrial control host security protection method, characterized in that it is applied to a server and comprises:
obtaining first target data sent by an industrial control host to be protected;
if the first target data is a first target file and the first target file is an unknown target file, processing the first target file to obtain a first processing result, wherein the first processing result characterizes whether the running process of the first target file is blocked, and the first target file is a target file pending security detection that is stored in the storage device of the industrial control host to be protected;
if the first target data is communication traffic data of the industrial control host to be protected and the communication traffic data is unknown communication traffic data, processing the communication traffic data to obtain a second processing result, wherein the second processing result characterizes whether the communication process corresponding to the communication traffic data is blocked.
2. The method according to claim 1, characterized in that a default file list includes the hash value of at least one default file, and judging whether the first target file is an unknown target file specifically comprises:
calculating the hash value of the first target file;
comparing the hash value of the first target file with the hash values in the default file list;
if the comparison result is that the default file list does not include the hash value of the first target file, determining that the first target file is an unknown target file.
3. The method according to claim 1, characterized in that judging whether the communication traffic data is unknown communication traffic data specifically comprises:
determining whether the communication parameters of the communication traffic data between a first industrial control host to be protected and a second industrial control host to be protected conform to a communications network graph, wherein the first industrial control host to be protected is the host among the industrial control hosts to be protected that receives the communication traffic data, the second industrial control host to be protected is the host among the other industrial control hosts that sends the communication traffic data to the first industrial control host to be protected, the communications network graph includes a plurality of industrial control hosts to be protected, and the communications network graph characterizes the communication parameters of the communication traffic data between any two industrial control hosts to be protected;
if they do not conform, determining that the communication traffic data is unknown communication traffic data.
4. The method according to claim 3, characterized in that the communications network graph comprises at least one of the following communication parameters: the IP address of each industrial control host to be protected, the MAC address of each industrial control host to be protected, the port used for communication between the industrial control hosts to be protected, and the communication protocol between the industrial control hosts to be protected.
5. The method according to claim 1, characterized in that processing the first target file comprises:
if the processing mode of the server is the high-availability mode, performing a virus scan on the first target file;
if it is determined that the first target file does not contain a virus, releasing the running process of the first target file;
if the processing mode of the server is the high-security mode, blocking the running process of the first target file.
6. The method according to claim 1, characterized in that processing the communication traffic data comprises:
if the processing mode of the server is the high-availability mode, releasing the communication process corresponding to the communication traffic data;
if the processing mode of the server is the high-security mode, blocking the communication process corresponding to the communication traffic data.
7. The method according to claim 1, characterized in that the method further comprises:
sending the first processing result or the second processing result to an administrator terminal, so that the administrator terminal displays the first processing result or the second processing result.
8. The method according to claim 1, characterized in that the method further comprises:
obtaining, according to a predetermined period, second target data sent by the industrial control host to be protected, wherein the second target data comprises at least one of the following: a second target file, the hash value of the second target file, the registry data of the second target file, process data, the communication traffic data, and the communication parameters of the communication traffic data, the second target file being all files obtained from the storage device of the industrial control host to be protected according to the predetermined period;
performing a virus scan on the second target file and judging whether the second target file contains a virus;
if not, adding the second target file and the hash value of the second target file to the default file list, and constructing a communications network graph based on the second target data.
9. A self-learning-based industrial control host security protection system, characterized in that the system comprises an acquiring unit, a first execution unit and a second execution unit, wherein:
the acquiring unit is used to obtain first target data sent by an industrial control host to be protected;
the first execution unit is used, if the first target data is a first target file and the first target file is an unknown target file, to process the first target file and obtain a first processing result, wherein the first processing result characterizes whether the running process of the first target file is blocked, and the first target file is a target file pending security detection that is stored in the storage device of the industrial control host to be protected;
the second execution unit is used, if the first target data is communication traffic data of the industrial control host to be protected and the communication traffic data is unknown communication traffic data, to process the communication traffic data and obtain a second processing result, wherein the second processing result characterizes whether the communication process corresponding to the communication traffic data is blocked.
10. The system according to claim 9, characterized in that the system further comprises a first monitoring unit for judging whether the first target file is an unknown target file, specifically:
calculating the hash value of the first target file;
comparing the hash value of the first target file with the hash values in a default file list;
if the comparison result is that the default file list does not include the hash value of the first target file, determining that the first target file is an unknown target file.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811308834.3A CN109358508A (en) | 2018-11-05 | 2018-11-05 | One kind being based on self study industrial control host safety protecting method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN109358508A true CN109358508A (en) | 2019-02-19 |
Family
ID=65343996
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811308834.3A Pending CN109358508A (en) | 2018-11-05 | 2018-11-05 | One kind being based on self study industrial control host safety protecting method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109358508A (en) |
Application Events
- 2018-11-05 CN CN201811308834.3A patent/CN109358508A/en active Pending
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8701194B2 (en) * | 2003-03-14 | 2014-04-15 | Websense, Inc. | System and method of monitoring and controlling application files |
| WO2005064884A1 (en) * | 2003-12-24 | 2005-07-14 | Veritas Software Corporation | Method and system for identifying the content of files in a network |
| WO2009042915A2 (en) * | 2007-09-26 | 2009-04-02 | Microsoft Corporation | Whitelist and blacklist identification data |
| CN103051627A (en) * | 2012-12-21 | 2013-04-17 | 公安部第一研究所 | Rebound trojan horse detection method |
| CN104991526A (en) * | 2015-05-04 | 2015-10-21 | 中国科学院软件研究所 | Industrial control system safe support framework and data safe transmission and storage method thereof |
| CN106529282A (en) * | 2016-11-10 | 2017-03-22 | 广东电网有限责任公司电力科学研究院 | Execution system and execution method for white list based on trust chain |
| CN106685953A (en) * | 2016-12-27 | 2017-05-17 | 北京安天网络安全技术有限公司 | Unknown file detection system and method based on security baseline sample machine |
| CN106845231A (en) * | 2016-12-30 | 2017-06-13 | 北京瑞星信息技术股份有限公司 | Based on safety protecting method and device under virtualized environment |
| CN107040545A (en) * | 2017-05-26 | 2017-08-11 | 中国人民解放军信息工程大学 | Project file Life cycle method for security protection |
| CN107612733A (en) * | 2017-09-19 | 2018-01-19 | 杭州安恒信息技术有限公司 | A kind of network audit and monitoring method and its system based on industrial control system |
| CN108183920A (en) * | 2018-01-23 | 2018-06-19 | 北京网藤科技有限公司 | A kind of industrial control system malicious code defending system and its defence method |
Non-Patent Citations (4)
| Title |
|---|
| 严彪 (Yan Biao) et al.: "A hierarchical intrusion detection algorithm for industrial control based on a whitelist mechanism", Communications Technology (通信技术) * |
| 王朝栋 (Wang Chaodong) et al.: "Application of whitelist-based SCADA networks to the security of petrochemical industrial control systems", Control and Instruments in Chemical Industry (化工自动化及仪表) * |
| 陶耀东 (Tao Yaodong) et al.: "A survey of industrial control system security", Computer Engineering and Applications (计算机工程与应用) * |
| 黄勇 (Huang Yong): "Research on an anomaly detection system for ICS", China Master's Theses Full-text Database, Information Science and Technology series (中国优秀硕士学位论文全文数据库信息科技辑) * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116112380A (en) * | 2023-02-13 | 2023-05-12 | 山东云天安全技术有限公司 | Industrial control safety control system based on abnormal flow |
| CN116112380B (en) * | 2023-02-13 | 2024-02-02 | 山东云天安全技术有限公司 | Industrial control safety control system based on abnormal flow |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 2019-02-19 | PB01 | Publication | Application publication date: 20190219 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |